Black Hat DC 2009 Briefings and Training

February 16-17

The Exploit Laboratory:
Analyzing Vulnerabilities and Writing Exploits

Saumil Udayan Shah

Overview:

Have you ever found yourself staring at a vulnerability advisory with some proof-of-concept snippets and wished the author had rather attached a working exploit with it? Have you wished you could analyze vulnerabilities and write your own exploits for them? Have you wanted to debug and exploit custom built applications and binaries? Now in its third year, the Exploit Laboratory brings you an action packed teaching you the art of vulnerability analysis and exploitation from the ground up. The Exploit Laboratory starts off with a basic insight into system architecture, process execution, operating systems and error conditions. The class then quickly accelerates to analysing vulnerabilities with debuggers, reproducing reliable error conditions and writing working exploits for the same. The Exploit Laboratory features popular third party applications and products as candidates for vulnerability analysis and exploitation, rather than building up on carefully simulated lab exercises. Most of the class time is spent working on lab exercises and examples.

Lab examples and exercises used in this class cover both the Unix (Linux) and Microsoft Windows platforms, illustrating various error conditions such as stack overflows, heap overflows and format string bugs (time permitting). The latter part of the class focuses on topics such as bypassing protection mechanisms, multi-stage payloads, integrating your own exploits into frameworks such as Metasploit, etc. All this - delivered in a down-to-earth, learn-by-example methodology, by trainers who have been teaching advanced topics in computer security for over 9 years.

This class is updated from the 2008 edition, featuring new content on heap overflows, abusing exception handlers and more hands-on examples based on recent vulnerabilities. The class features Mac OS X exploitation, for the first time.

This class does NOT require knowledge of assembly language. A few concepts and a sharp mind is all you need.

Learning Objectives:

Understanding Error Conditions
Types of error conditions: Stack Overflows, Heap Overflows, Format String bugs, etc.
Process execution and memory map under Linux and Windows
Debugging applications and sharpening debugging skills, using GDB and WinDBG
Putting together an exploit
Shellcode - various types of shellcode and functionality
Crafting the attack vector and payload
Making the exploit work reliably
Stack overflows on Linux and Windows
Return to stack vs. Return through registers
Abusing Structured Exception Handlers
Heap overflows in Linux
Overwriting the Global Offset Table
Heap overflows in Windows
Format string bugs [time permitting]
Browser exploitation [new]
Using and extending the Metasploit framework [time permitting]
Exploits on Mac OS X [new]
Defeating Browser memory protection and DEP [new]

Who Should Attend

Pen-testers, Security analysts, Security auditors, who want to take their skills to the next level and write their own exploits instead of borrowing them.
Developers and Project managers, who want to understand what can happen to poorly written code.
Members of internal product security groups, who want to pen-test custom binaries and exploit custom built applications.
System administrators, who want to follow a more "pro-active" approach in enforcing security measures.
Just about anyone curious about vulnerabilities and exploits.

Participants Are Required To:

Have a working knowledge of operating systems, Win32 and Unix.
Not be allergic to command line tools.
Use vi/pico/joe editors.
Have a working knowledge of shell scripts, cmd scripts or Perl.
Understanding of C programming would be a bonus.

What to bring:

A working laptop with the following hardware/software requirements:

Hardware Requirements:

A working laptop with the following hardware/software requirements: Hardware Requirements:
Intel(ish) X86 hardware required
512MB RAM required, at a minimum, 2GB preferred, and anywhere in between shall be tolerated
Wired 10/100 Network card (no wireless network in class)
CDROM drive (built-in or portable. This is a must)
8 GB free Hard disk space

Operating Systems (one of the following):

Windows XP SP2
Windows Vista DOES NOT WORK (you have been warned)
Administrator access mandatory
Ability to disable Anti-virus / Anti-spyware programs
Ability to disable Windows Firewall or personal firewalls
Active Perl 5.8 or above from activestate.com
An SSH client, such as PuTTY
Firefox browser

-OR-

Linux kernel 2.4 or 2.6
Kernel 2.4 or 2.6 required
Root access mandatory
Ability to use an X-windows based GUI environment
Perl 5.8 should be available
SSH should be available

MAC OS X is not "officially" supported in this class. However, participants have successfully used Intel based MacBooks or MacBook Pros in previous classes. The ultra sleek MacBook Air won't work - unless you bring along a portable DVD drive and a wired Ethernet adapter of some sort. All Mac OS X users are required to bring their copies of VMWare Fusion as long as you can run virtual machine images created in VMWare Workstation 5 and above.

Windows Vista is also NOT supported in this class. Vista's protection features break many simple tools such as Netcat. We are not "competent enough" to troubleshoot Vista issues.

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Trainer:

Saumil Udayan Shah

Founder and Director, Net-Square Solutions Pvt. Ltd.

Saumil continues to lead the efforts in e-commerce security research at Net-Square. His focus is on researching vulnerabilities with various e-commerce and web-based application systems. Saumil also provides information security consulting services to Net-Square clients, specializing in ethical hacking and security architecture. He holds a designation of Certified Information Systems Security Professional. Saumil has had more than nine years experience with system administration, network architecture, integrating heterogeneous platforms and information security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences such as Black Hat, RSA, etc.

Previously, Saumil was the Director of Indian operations for Foundstone Inc, where he was instrumental in developing their web application security assessment methodology, the web assessment component of FoundScan - Foundstone's Managed Security Services software and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class.

Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company's ethical hacking and security architecture solutions. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member there.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).